 pam_krb5(5)                                                     pam_krb5(5)




 NAME
      pam_krb5 - authentication, account, session and password management
      modules for Kerberos 5

 SYNOPSIS
      /usr/lib/security/$ISA/libpam_krb5.so.1

 DESCRIPTION
      The KRB5 PAM modules allow integration of Kerberos authentication into
      the system entry services (such as login, ftp) using the pam.conf(4)
      configuration file. The Kerberos service module for PAM consists of
      the following four modules: Authentication module, Account management
      module, Session management module and Password management module. All
      modules are provided by the same dynamically loadable library.

      The KRB5 PAM modules are compatible with MIT Kerberos 5 and Microsoft
      Windows 2000.

 Authentication Module
      The authentication module verifies the user identity and sets the user
      credentials. It passes the authentication key derived from the user's
      password to the Kerberos security service. The security service uses
      the authentication key to verify the user and issues a ticket-granting
      ticket. The credential management function sets user specific
      credentials. It stores the credentials in a cache file and exports the
      environment variable KRB5CCNAME to identify the cache file. The cache
      file is stored in the /tmp directory. This module creates a unique
      cache file for every session.  The credential cache file can be
      destroyed using the Session management module.

      The following options may be passed to the authentication module
      through pam.conf(4):

      debug          This option allows syslog(3C) debugging information at
                     LOG_DEBUG level.

      krb_prompt     This option allows the administrator to change the
                     password prompt. When set, the password prompt
                     displayed is, Kerberos Password

      use_first_pass This option allows the initial password (entered when
                     the user is authenticated to the first authentication
                     module in the stack) to authenticate with Kerberos.  If
                     the user cannot be authenticated or if this is the
                     first authentication module in the stack, quit without
                     prompting for a password. It is recommended that this
                     option be used only if the authentication module is
                     designated as optional in the pam.conf(4) configuration
                     file.





 Hewlett-Packard Company            - 1 - PAM-Kerberos 1.10 (September 2002)
      try_first_pass This option allows the initial password (entered when
                     the user is authenticated to the first authentication
                     module in the PAM stack) to authenticate with Kerberos.
                     If the user cannot be authenticated or if this is the
                     first authentication module in the stack, prompt for a
                     password.

      forwardable    This option allows a ticket-granting ticket with a
                     different network address than the present
                     ticket-granting ticket to be issued to the user. For
                     forwardable tickets to be granted, the user's account
                     in Kerberos must specify that the user can be granted
                     forwardable tickets.

      renewable=<time>
                     This option allows tickets issued to the user to be
                     renewed. For renewable tickets to be granted, the
                     user's account in Kerberos must specify that the user
                     can be granted renewable tickets.  The renewal time of
                     the ticket-granting ticket is specified by <time>.  The
                     form of time is the same as the one in kinit.

      proxiable      This option allows a ticket with a different network
                     address than the present ticket to be issued to the
                     user. For proxiable tickets to be granted, the user's
                     account in Kerberos must specify that the user can be
                     granted proxiable tickets.

      ignore         Returns PAM_IGNORE.  Generally this option should not
                     be used. But sometimes it may not be desirable or may
                     not be necessary to authenticate certain users (root,
                     ftp, ...) with Kerberos. In such cases you can use this
                     option in pam_user.conf(4) for per user configuration.
                     It is not recommended for you to use this option in
                     pam.conf(4).  See the examples section.

 Account Management Module
      The account management module provides a function to perform account
      management.  This function retrieves the user's account and password
      expiration information from the Kerberos database and verifies that
      they have not expired. The module does not issue any warning if the
      account or the password is about to expire.

      The following options can be passed to the Account Management module
      through pam.conf(4):

      debug          This option allows syslog(3C) debugging information at
                     LOG_DEBUG level.

      ignore         Returns PAM_IGNORE.  Generally this option should not
                     be used. But sometimes it may not be desirable or may
                     not be necessary to authenticate certain users (root,
                     ftp, ...) with Kerberos. In such cases you can use this
                     option in pam_user.conf(4) for per user configuration.
                     It is not recommended for you to use this option in
                     pam.conf(4).  See the examples section.

 Password Management Module
      The password management module provides a function to change passwords
      in the Kerberos password database. Unlike when changing a Unix
      password, root is always prompted for the user's old password.

      The following options can be passed into the password module through
      the pam.conf(4) file:

      debug          This option allows syslog(3C) debugging information at
                     LOG_DEBUG level.

      krb_prompt     This option allows the administrator to change the
                     password prompt. When set, the password prompt
                     displayed could be,  Old/New Kerberos Password

      use_first_pass This option allows the initial password (entered when
                     the user is authenticated to the first authentication
                     module in the stack) to authenticate with Kerberos. If
                     the user cannot be authenticated or if this is the
                     first authentication module in the stack, quit without
                     prompting for a password. It is recommended that this
                     option be used only if the authentication module is
                     designated as optional in the pam.conf(4) configuration
                     file.

      try_first_pass This option allows the initial password (entered when
                     the user is authenticated to the first authentication
                     module in the PAM stack) to authenticate with Kerberos.
                     If the user cannot be authenticated or if this is the
                     first authentication module in the stack, prompt for a
                     password.

      ignore         Returns PAM_IGNORE.  Generally this option should not
                     be used. But sometimes it may not be desirable or may
                     not be necessary to authenticate certain users (root,
                     ftp, ...) with Kerberos. In such cases you can use this
                     option in pam_user.conf(4) for per user configuration.
                     It is not recommended for you to use this option in
                     pam.conf(4).  See the examples section.

 Session Management Module
      The session management module provides a function to terminate
      sessions. It cleans up the credential cache file created by the
      Authentication module.

      The following options can be passed into the session management module
      through the pam.conf(4) file:

      debug          This option allows syslog(3C) debugging information at
                     LOG_DEBUG level.

      ignore         Returns PAM_IGNORE.  Generally this option should not
                     be used. But sometimes it may not be desirable or may
                     not be necessary to authenticate certain users (root,
                     ftp, ...) with Kerberos. In such cases you can use this
                     option in pam_user.conf(4) for per user configuration.
                     It is not recommended for you to use this option in
                     pam.conf(4).  See the examples section.

 EXAMPLE
      The following is a sample configuration in which no authentication is
      done with Kerberos for root, i.e. the KRB5 PAM module does nothing and
      just returns PAM_IGNORE for user root.  For every user other than root,
      it will try to authenticate using Kerberos. If Kerberos succeeds, the
      user is authenticated. If Kerberos fails to authenticate the user, PAM
      will try to authenticate via UNIX PAM using the same password.

      pam_user.conf:

       # configuration for user root. KRB5 PAM module uses the
       # ignore option and returns PAM_IGNORE

       root    auth     /usr/lib/security/$ISA/libpam_krb5.so.1 ignore
       root    password /usr/lib/security/$ISA/libpam_krb5.so.1 ignore
       root    account  /usr/lib/security/$ISA/libpam_krb5.so.1 ignore
       root    session  /usr/lib/security/$ISA/libpam_krb5.so.1 ignore

      pam.conf:

       # For per-user configuration the libpam_updbe.so.1 (pam_updbe(5)) module
       # must be the first module in the stack. If Kerberos authentication
       # is valid the UNIX authentication function will not be invoked.

       login   auth     required    /usr/lib/security/$ISA/libpam_updbe.so.1
       login   auth     sufficient  /usr/lib/security/$ISA/libpam_krb5.so.1
       login   auth     required    /usr/lib/security/$ISA/libpam_unix.so.1 try_first_pass

       login   password required    /usr/lib/security/$ISA/libpam_updbe.so.1
       login   password required    /usr/lib/security/$ISA/libpam_krb5.so.1
       login   password required    /usr/lib/security/$ISA/libpam_unix.so.1 try_first_pass

       login   account  required    /usr/lib/security/$ISA/libpam_updbe.so.1
       login   account  required    /usr/lib/security/$ISA/libpam_krb5.so.1
       login   account  required    /usr/lib/security/$ISA/libpam_unix.so.1

       login   session  required    /usr/lib/security/$ISA/libpam_updbe.so.1
       login   session  required    /usr/lib/security/$ISA/libpam_krb5.so.1
       login   session  required    /usr/lib/security/$ISA/libpam_unix.so.1
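      The auth stack above, together with the use_first_pass and
      try_first_pass rules given in the option descriptions, can be traced
      with the following toy evaluator. It is an added example and not code
      from HP-UX, PAM-Kerberos or libpam: the control flags follow the
      classic PAM rules (required, sufficient, optional); the Kerberos KDC
      and the UNIX password file are replaced by in-memory dictionaries of
      constructed users (alice, bob, root); libpam_updbe is modelled only as
      the point from which pam_user.conf overrides apply and is assumed to
      contribute no result of its own; the module paths are the ones from
      the example. The two extra stacks OPTIONAL_FIRST and REQUIRED_FIRST are
      constructed to show why use_first_pass is only recommended on an
      optional module.

```python
"""Toy evaluator for the pam.conf / pam_user.conf auth stacks in the EXAMPLE
section.  Added illustration, not HP-UX libpam, libpam_krb5 or libpam_updbe:
the KDC and the UNIX password file are in-memory dicts of constructed users."""

PAM_SUCCESS, PAM_AUTH_ERR, PAM_IGNORE = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_IGNORE"

# Constructed credential stores: alice has a Kerberos principal, bob does not.
KDC_PRINCIPALS = {"alice": "krb-secret"}
UNIX_PASSWD = {"root": "root-pw", "alice": "unix-pw", "bob": "bob-pw"}

KRB5 = "/usr/lib/security/$ISA/libpam_krb5.so.1"
UNIX = "/usr/lib/security/$ISA/libpam_unix.so.1"
UPDBE = "/usr/lib/security/$ISA/libpam_updbe.so.1"

# The auth lines of the man page example; only the root auth line of
# pam_user.conf matters for authentication.
PAM_USER_CONF = "root    auth     %s ignore\n" % KRB5
PAM_CONF = ("login   auth     required    %s\n"
            "login   auth     sufficient  %s\n"
            "login   auth     required    %s try_first_pass\n") % (UPDBE, KRB5, UNIX)
# Constructed variants: pam_krb5 listed first with use_first_pass, and a
# stack that puts pam_updbe after another module.
OPTIONAL_FIRST = "login auth optional %s use_first_pass\nlogin auth required %s\n" % (KRB5, UNIX)
REQUIRED_FIRST = "login auth required %s use_first_pass\nlogin auth required %s\n" % (KRB5, UNIX)
MISORDERED = "login auth sufficient %s\nlogin auth required %s\n" % (KRB5, UPDBE)

def parse_pam_conf(text):
    """pam.conf: service type control module-path [option ...]"""
    rows = []
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()
        if f:
            rows.append({"service": f[0], "type": f[1], "control": f[2],
                         "module": f[3], "options": f[4:]})
    return rows

def parse_pam_user_conf(text):
    """pam_user.conf: login type module-path [option ...] -> options by key"""
    rows = {}
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()
        if f:
            rows[(f[0], f[1], f[2])] = f[3:]
    return rows

def make_auth_module(store):
    """pam_sm_authenticate stand-in with the first-pass options as worded above."""
    def module(user, opts, state, prompt):
        if "ignore" in opts:                            # PAM_IGNORE, no check at all
            return PAM_IGNORE
        tok = state.get("authtok")                      # password saved by an earlier module
        if "use_first_pass" in opts:
            if tok is None:                             # nothing to reuse: quit, no prompt
                return PAM_AUTH_ERR
        elif "try_first_pass" in opts:
            if tok is None or store.get(user) != tok:   # reuse absent or wrong: prompt
                tok = state["authtok"] = prompt(user)
        else:
            tok = state["authtok"] = prompt(user)       # no option: always prompt
        return PAM_SUCCESS if store.get(user) == tok else PAM_AUTH_ERR
    return module

MODULES = {KRB5: make_auth_module(KDC_PRINCIPALS), UNIX: make_auth_module(UNIX_PASSWD)}

def stack_is_valid(stack):
    """pam_updbe, if used, must come first so its overrides reach every module."""
    return not any(e["module"] == UPDBE for e in stack) or stack[0]["module"] == UPDBE

def pam_authenticate(service, user, pam_conf, user_conf, prompt):
    stack = [e for e in pam_conf if e["service"] == service and e["type"] == "auth"]
    if not stack_is_valid(stack):
        raise ValueError("libpam_updbe must be the first module in the stack")
    state, overrides, required_failed, success = {}, False, False, False
    for e in stack:
        if e["module"] == UPDBE:                        # loads pam_user.conf for this user;
            overrides = True                            # modelled as giving no result itself
            continue
        opts = user_conf.get((user, "auth", e["module"]), e["options"]) if overrides else e["options"]
        code = MODULES[e["module"]](user, opts, state, prompt)
        if code == PAM_IGNORE:                          # as if the line were not there
            continue
        if e["control"] == "required":
            if code == PAM_SUCCESS:
                success = True
            else:
                required_failed = True                  # keep going, but the stack fails
        elif e["control"] == "sufficient" and code == PAM_SUCCESS and not required_failed:
            return PAM_SUCCESS                          # short-circuit: pam_unix never runs
        # optional: its result never decides the outcome
    return PAM_SUCCESS if success and not required_failed else PAM_AUTH_ERR

class Console:
    """Stand-in terminal: answers every prompt with one password and counts prompts."""
    def __init__(self, password):
        self.password, self.prompts = password, 0
    def __call__(self, user):
        self.prompts += 1
        return self.password

def login(user, password, pam_conf=PAM_CONF, user_conf=PAM_USER_CONF):
    """Run the login auth stack; returns (PAM result, number of password prompts)."""
    console = Console(password)
    code = pam_authenticate("login", user, parse_pam_conf(pam_conf),
                            parse_pam_user_conf(user_conf), console)
    return code, console.prompts
```

      Running login("alice", "unix-pw") shows the behaviour the example
      text describes: pam_krb5 prompts once and fails, then pam_unix reuses
      the same password via try_first_pass and succeeds, so the user is
      asked only once. For root the per-user ignore entry makes pam_krb5
      return PAM_IGNORE and pam_unix does the only check. In the
      REQUIRED_FIRST variant, use_first_pass on a first, required module
      fails the whole stack without ever prompting for a Kerberos password,
      which is the situation the option description warns about.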


 SEE ALSO
      pam(3), pamkrbval(1), pam_authenticate(3), pam_setcred(3), syslog(3C),
      pam_close_session(3), pam.conf(4), pam_user.conf(4), pam_updbe(5),
      kinit, klist, kdestroy